Vidar

Vidar is a dangerous information stealer that exfiltrates credentials, files and cryptocurrency from infected users. It takes its name from the Norse god of vengeance. This upgraded version of the Arkei stealer has been active since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 2 August, 2021
Also known as: Arkei
Global rank: 20
Week rank: 21
Month rank: 19
IOCs: 8453

What is Vidar / Arkei malware?

Vidar is an information stealer Trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country, since the malware stops execution if it detects that it is running on a machine located in one of the ex-USSR nations or on one that has a Russian keyboard layout installed.

Being another cyber threat sold under the MaaS (Malware-as-a-Service) business model, Vidar can be purchased on its "official" website for a hefty $700 for the PRO version, while a stripped-down version of the malware can be obtained for just $250.

Vidar is written in C++. Purchasing an account grants the attacker access to a control panel where the cybercriminal can configure the malware to target particular information on the victims' PCs. As with Arkei, buyers have to protect the main payload themselves, using a crypter or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that Vidar locates its C&C servers, where stolen data is dropped, by domain name, and those domains change every four days.

Vidar is capable of stealing text files in multiple formats, browser cookies and history, browser records (including data from the Tor Browser), and autofill data, including banking and credit card details. In addition, the malware searches for cryptocurrency wallet information, takes screenshots, and collects private messages from various messaging applications.

What's more, Vidar is also known to steal coins from offline (locally stored) wallets. Holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are at particular risk, as these are the cryptocurrencies currently supported by the malware.

After collecting the targeted information, the malware archives it and sends the archive to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of Vidar.


Figure 1: A visual process graph generated by ANY.RUN


Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the analysis, after the user downloads and runs the malicious file, it spawns a child process and collects information from the infected system. Once the information has been collected, the malware typically terminates and deletes itself from the system via a command-line command.
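The chain described above (a process that spawns a child copy of itself and is then removed by a command-line command) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not part of this page or of ANY.RUN's tooling: it runs over constructed Sysmon-style process-creation records, and the self-deletion command line in the sample is an assumed illustration of "deletes itself via a command-line command", not a command captured from a Vidar sample.

```python
"""Spot the execution chain described above in process-creation telemetry.

Added example; not part of this page or of ANY.RUN's tooling. The records are
constructed Sysmon-style process-creation events, and the self-deletion command
line is an assumed illustration, not a command captured from a Vidar sample.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed sample: a downloaded executable spawns a copy of itself, then a cmd.exe
# child that deletes the parent's own image. The last record is an unrelated cmd.exe
# deleting a log file and must not be flagged.
EVENTS: List[Event] = [
    {"pid": "4120", "ppid": "3200", "image": r"C:\Users\bob\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\bob\Downloads\invoice.exe"'},
    {"pid": "4188", "ppid": "4120", "image": r"C:\Users\bob\Downloads\invoice.exe",
     "cmdline": r'"C:\Users\bob\Downloads\invoice.exe"'},
    {"pid": "4250", "ppid": "4120", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout /t 5 & del "C:\Users\bob\Downloads\invoice.exe"'},
    {"pid": "5000", "ppid": "900", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Temp\old.log"'},
]

# Path argument of a cmd.exe `del`/`erase`, quoted or not, optionally preceded by
# switches such as /f or /q, and terminated by end of line or a command separator.
DEL_RE = re.compile(
    r'\b(?:del|erase)\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?(?=\s*(?:$|&|\|))', re.IGNORECASE)


def deleted_path(cmdline: str) -> Optional[str]:
    """Return the lower-cased path a cmd.exe command line deletes, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(1).strip().lower() if m else None


def self_deletions(events: List[Event]) -> List[dict]:
    """Find processes that spawned a child copy and were then deleted by their own cmd.exe child."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        target = deleted_path(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target is None or parent is None or parent["image"].lower() != target:
            continue  # cmd.exe deleting something other than its parent's image
        copies = [c["pid"] for c in events
                  if c["ppid"] == parent["pid"] and c["image"].lower() == parent["image"].lower()]
        findings.append({"parent_pid": parent["pid"], "image": parent["image"],
                         "child_copies": copies, "cmd_pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for f in self_deletions(EVENTS):
        print(f"self-deletion: pid {f['parent_pid']} ({f['image']}) spawned "
              f"{f['child_copies']} then removed itself via cmd.exe pid {f['cmd_pid']}")
```

The rule keys on the relationship between the deleting cmd.exe and its parent rather than on a fixed command string, so a different delay trick or switch order still matches; the price is that it needs the parent record, so it has to run over a window of events, not one line at a time.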

How to avoid infection by Vidar malware?

When spread via spam email campaigns, the Vidar stealer requires the user to download and run a malicious file to enter an active state and begin execution. Therefore, following some basic cybersecurity rules can ensure that users will stay safe from this malware.

As such, users should be careful when downloading attachments in emails from unknown senders. The best practice is to avoid downloading such files altogether, therefore not putting oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game hacking clients greatly reduces the risk of being infected with malware such as Vidar, which uses these vectors to reach victims.

The distribution process of Vidar

Like other malware, Vidar / Arkei is distributed through spam email campaigns as a malicious attachment. In addition, cases of Vidar being distributed using shady software and gaming hack clients have also been recorded. Vidar targets users all over the world, except some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering" feature during your analysis. Open either the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a hazardous information stealer trojan distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can retrieve a wide variety of information, including select cryptocurrency coins from its victims. Additionally, Vidar is capable of stealing data from the Tor Browser.

Thankfully, malware hunting services like ANY.RUN allow researchers to study malware samples in a secure environment, share information about the threat, and develop effective countermeasures.

IOCs

Note that several of the IP addresses below belong to shared infrastructure (CDN edge addresses, shared web hosting and public IP-lookup services) that legitimate software also contacts, so treat IP matches as corroborating context and rely on the domains and file hashes for high-confidence detection.

IP addresses
208.95.112.1
88.99.66.31
116.202.183.50
204.11.56.48
18.221.195.49
108.167.158.96
199.59.242.150
141.8.192.151
192.185.41.224
104.21.48.75
185.38.151.11
103.99.1.60
5.23.50.127
5.101.153.227
195.20.55.236
43.225.55.117
111.90.150.191
95.216.102.241
172.67.129.234
Hashes
3d8edfcc27cdc98d2f079dd77712099ff142c3a38bc04ca7b2bc64f93d5f834e
10a381f18dfe5b20f91eb637989cc65ce78580f0f747bc80ead4da54ecef60bd
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
39a4f228fb90f91ac83eb32311a3c59af724b57b5c4a3b1d1573046600028fb1
cd11fc0c00ef3b5623632acc35ec34583583ed3aec9ee54e9bce88f1abaecb3d
e5cfbeb6e53527b724d1a710c44dd7f86a0befadb35db2c81ee1ec9aafd12b40
87cc5d85b8cfd8c3fceff58c1ac8fa30724f84c07bd5353b305f65e0365ec96e
73adc4f8c639efed8cba93067add595c009cc10fe2b4ffa9b7fff199d0d7af7d
4a7a13306aeea01b94b11c01d682a6221dc4d1b2dcea3fd2948e28d60b54213b
b6a2804c7e2c682aed6ecdb05eb7c79f1a823753f4bbccb81dbf69bc8930cf8b
773197dfe8b35351242b81c1ba189b2745e2367357b806c9a0529e3bf1495940
c0765fd53d64c425a848b89fa1168552fd2cae90984cfa14c0b7d4e0789fece7
3a76b115ac1eeefa07018ad2528d72a99f121a17834b4b2aa3928b52b6884b18
44cfcc419cae070fcd1d81f5b767ddd79a924b594265d0ef9e153b29bbbce82b
f5d5b68ad033335a06f341b7968209734cae7487ac80a3646843762bd1147e69
9ee35a82cd81c281bfcaa04c3c2d35841bf6bd75b6cbcefaaf43d6bc9aa454e0
ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e
19b922855c5da407318831d9f90bba6bbc5a5d68088c7d2e05c2e1d16908463b
176a35e5ca43cd7cf3d57ede8f58873afed31ad6404a9a49d123c8e21a9e8bda
a48ca5ac24da4b68de42bfcbc752e20382d21abccf6634124cf29fab4d049ed7
Domains
booking.msg.bluhotels.com
iplis.ru
2no.co
wellplayed.ug
playwell.ug
grab-indonesia.com
boatshowradio.com
majul.com
checkoutspace.com
www.themekiller.me
www.secondofferdelivery.com
startskip.com
www.startskip.com
foodandcot.com
www.cashbeet.com
www.transmissionrepairnow.com
www.report-download.com
bestbestbags.com
nethostnet.com
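To use a list like the one above in practice it has to be normalised first (duplicates dropped, "www." prefixes removed, hashes lower-cased and validated) and then matched against DNS, proxy and file telemetry. The following is an added example and not part of the original page or of ANY.RUN's tooling: the indicator values are a subset copied from the IOC list above, while the DNS, proxy and file log lines are constructed for the demonstration.

```python
"""Normalise the IOC list above and match it against log records.

Added example, not part of the original page or of ANY.RUN's tooling. The
indicator values are a subset copied from the page's IOC list; the DNS, proxy
and file log lines are constructed for the demonstration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Subset of the page's IOCs, copied verbatim (including the variants the list carries).
RAW_IOCS: Dict[str, List[str]] = {
    "ips": ["208.95.112.1", "95.216.102.241", "95.216.102.241", "172.67.129.234"],
    "domains": ["booking.msg.bluhotels.com", "booking.msg.bluhotels.com",
                "startskip.com", "www.startskip.com", "2no.co"],
    "hashes": ["3d8edfcc27cdc98d2f079dd77712099ff142c3a38bc04ca7b2bc64f93d5f834e",
               "10a381f18dfe5b20f91eb637989cc65ce78580f0f747bc80ead4da54ecef60bd"],
}

# Constructed log lines (not real telemetry): key=value records from DNS, proxy and
# file-hash sources. The 192.0.2.10 and example.org records are benign controls.
DNS_LOG = [
    "host=WS-17 query=www.startskip.com. type=A",
    "host=WS-17 query=booking.msg.bluhotels.com type=A",
    "host=WS-22 query=update.example.org type=A",
]
PROXY_LOG = [
    "host=WS-17 dst=95.216.102.241 bytes_out=1843200",
    "host=WS-22 dst=192.0.2.10 bytes_out=2048",
]
FILE_LOG = [
    "host=WS-17 path=C:\\Users\\bob\\Downloads\\invoice.exe "
    "sha256=10A381F18DFE5B20F91EB637989CC65CE78580F0F747BC80EAD4DA54ECEF60BD",
]


def norm_domain(name: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' so variants compare equal."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def normalize(raw: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Deduplicate and canonicalise the raw IOC lists; invalid hashes are dropped."""
    ips = {str(ipaddress.ip_address(v.strip())) for v in raw["ips"]}  # raises on junk
    domains = {norm_domain(v) for v in raw["domains"]}
    hashes = {v.strip().lower() for v in raw["hashes"]
              if re.fullmatch(r"[0-9a-fA-F]{64}", v.strip())}
    return {"ips": ips, "domains": domains, "hashes": hashes}


def domain_hit(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = norm_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def scan(lines: List[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Match each key=value log line against the normalised IOC sets."""
    hits = []
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        if "query" in rec and (d := domain_hit(rec["query"], iocs["domains"])):
            hits.append({"host": rec.get("host"), "type": "domain", "indicator": d})
        elif "dst" in rec and rec["dst"] in iocs["ips"]:
            hits.append({"host": rec.get("host"), "type": "ip", "indicator": rec["dst"]})
        elif "sha256" in rec and rec["sha256"].lower() in iocs["hashes"]:
            hits.append({"host": rec.get("host"), "type": "hash",
                         "indicator": rec["sha256"].lower()})
    return hits


if __name__ == "__main__":
    iocs = normalize(RAW_IOCS)
    for h in scan(DNS_LOG + PROXY_LOG + FILE_LOG, iocs):
        print(f"{h['host']}: {h['type']} match on {h['indicator']}")
```

Domain matching walks up the label hierarchy so that a lookup of a subdomain of a listed domain still fires, and hashes are compared case-insensitively because sources disagree on case. Per the note at the top of the IOC section, an IP-only hit should be weighed against what else the host did, whereas a domain or hash hit on the same host is strong on its own.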
